Examiner's Amendment

1. An examiner's amendment to the record appears below. Should
the changes and/or additions be unacceptable to applicant, an amendment may
be filed as provided by 37 CFR 1.312. To ensure consideration of such an
amendment, it MUST be submitted no later than the payment of the issue fee. 

2. Authorization for this examiner's amendment was given in a 
telephone interview with Applicant's representative, Mr. John Garrity (Reg. No. 
60,470), on October 27, 2009. 

3. The application has been amended as follows:

4. In the claims:

1. (Currently Amended) A method, comprising:

performing an automated security scan of a second network device by a 
first network device to determine at least one of a hardware or software capability 
of the second network device; 

determining an attribute for the second network device based, in part, on 
the determined capability; 

generating an attribute certificate for the second network device based in 
part on the attribute; 

storing the attribute certificate including the attribute on a device other 
than the second network device; 

receiving, at the first network device, an authentication request from the 
second network device for access to a resource over a network;

verifying the authentication request from the second network device, or
else terminating communication with the second network device; 

responsive to verifying the authentication request from the second network 
device, the first network device requesting and receiving from the other device 
the stored attribute certificate for the second network device; and 

the first network device determining whether the received attribute 
certificate for the second network device is valid, where if the attribute certificate 
is determined valid, authorizing access to the resource over the network based, 
in part, on the attribute associated with the attribute certificate, or else 
terminating communication with the second network device, wherein the validity
of the received attribute certificate is based on factors comprising: a date range
of the attribute certificate, a digital signature on the attribute certificate, and a
comparison of an identity listed in the attribute certificate with the verified
authentication request.

2. (Canceled). 

3. (Original) The method of claim 1, wherein the attribute is further
determined based, in part, on a condition to be satisfied. 

4. (Previously presented) The method of claim 1, where the validity of the
received attribute certificate is based on factors comprising at least one of a date
range of the attribute certificate, a digital signature on the attribute certificate, and
a comparison of an identity listed in the attribute certificate with the verified
authentication request. 

5. (Previously presented) The method of claim 1, wherein the attribute is
further associated with at least one of a group of users and a group of network 
devices. 

6. (Previously Presented) The method of claim 1, wherein the attribute
certificate is generated by at least one of the first network device, an access 
server, and an attribute authority. 

7. (Previously presented) The method of claim 1, wherein the attribute 
certificate is stored in at least one of the first network device, and an attribute 
repository. 

8. (Original) The method of claim 7, wherein the attribute certificate is 
provided to an access server through the use of at least one of a cookie, a 
program, and a manual upload. 

9. (Currently Amended) An apparatus, comprising: 

an interface configured to perform an automated security scan of a 
network device to determine at least one of a hardware or software capability of 
the network device;

a processor configured to determine an attribute for the network device
based, in part on the determined capability; 

the processor further configured to generate an attribute certificate for the 
network device based, in part, on the attribute; 

the interface configured to store the attribute certificate including the 
attribute on a device other than the network device; 

the processor configured to receive an authentication request from the 
network device for access to a resource over a network; 

the processor configured to verify the authentication request from the 
network device, or else to terminate communication with the network device; 

responsive to verifying the authentication request from the network device, 
the processor and the interface are configured to request and receive from the 
other device the stored attribute certificate for the network device; and 

the processor is configured to determine whether the received attribute 
certificate for the network device is valid, where if the attribute certificate is 
determined valid, the processor is configured to authorize access to the resource 
over the network based, in part, on the attribute associated with the attribute 
certificate, or else terminate communication with the network device, wherein the
validity of the received attribute certificate is based on factors comprising: a date
range of the attribute certificate, a digital signature on the attribute certificate, and
a comparison of an identity listed in the attribute certificate with the verified
authentication request.

10. (Previously Presented) The apparatus of claim 9, wherein the
processor is further configured to generate the attribute certificate based on a 
condition to be satisfied. 

11. (Canceled).

12. (Canceled). 

13. (Previously Presented) The apparatus of claim 9, wherein the interface 
is further configured to send the attribute certificate to an attribute repository to 
be stored. 

14. (Currently Amended) A device for managing authorization to a 
resource over a network, comprising: 

means for performing an automated security scan of a network device to 
determine at least one of a hardware or software capability of the network device; 

means for determining an attribute for the network device based, in part, 
on the determined capability of the network device; 

means for generating an attribute certificate for the network device, 
wherein the attribute certificate is based in part on the attribute; 

means for storing the attribute certificate on a device other than the 
network device;

means for receiving an authentication request from the network device for
access to a resource over the network; 

means for verifying the authentication request from the network device, or 
else terminating communication with the network device; 

means, responsive to verifying the authentication request from the 
network for requesting and receiving from the other device the stored attribute 
certificate for the network device; 

means for determining whether the received attribute certificate for the 
network device is valid, where if the attribute certificate is determined valid, and 

means for authorizing access to the resource over the network based, in 
part, on the attribute associated with the attribute certificate, or else for 
terminating communication with the network device, wherein the validity of the
received attribute certificate is based on factors comprising: a date range of the
attribute certificate, a digital signature on the attribute certificate, and a
comparison of an identity listed in the attribute certificate with the verified
authentication request.

15. (Previously Presented) The device of claim 14, where the means to 
perform an automated scan comprises an interface; and the means for 
determining, generating, storing, and means responsive comprises a central 
processing unit coupled to the interface and further coupled to a memory.

16. (Currently Amended) A computer readable medium encoded with a
computer program executable by a processor to perform actions comprising: 

performing an automated security scan of a network device to determine 
at least one of a hardware or software capability of the network device; 

determining an attribute for the network device based, in part, on the 
determined capability; 

generating an attribute certificate for the network device based in part on 
the attribute; 

storing the attribute certificate including the attribute on a device other 
than the network device; 

receiving an authentication request from the network device for access to 
a resource over a network; 

verifying the authentication request from the network device, or else 
terminating communication with the network device; 

responsive to a verified authentication request from the network device, 
requesting and receiving from the other device the stored attribute certificate for 
the network device; and 

determining whether the received attribute certificate for the network 
device is valid, where if the attribute certificate is determined valid, authorizing 
access to a resource over a network based, in part, on the attribute associated 
with the attribute certificate, or else terminating communication with the network 
device, wherein the validity of the received attribute certificate is based on factors
comprising: a date range of the attribute certificate, a digital signature on the
attribute certificate, and a comparison of an identity listed in the attribute
certificate with the verified authentication request.

Reasons for Allowance 

5. Claims 1, 3-10 and 13-16 are allowed. 

6. This communication warrants no examiner's reason for allowance, 
as applicant's reply makes evident the reason for allowance, satisfying the record 
as a whole as required by rule 37 CFR 1.104(e). In this case, the substance of
applicant's remark filed on June 09, 2009 with respect to arguments that point 
out and make clear the reason claims are patentable over the prior art of record. 
Thus, the reason for allowance is in all probability evident from the record and no 
statement for examiner's reason for allowance is necessary (see MPEP 
13202.14). 

7. Any comments considered necessary by applicant must be 
submitted no later than the payment of the issue fee and, to avoid processing 
delays, should preferably accompany the issue fee. Such submissions should be 
clearly labeled "Comments on Statement of Reasons for Allowance." 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Thu Ha Nguyen, whose telephone number is 
(571) 272-3989. The examiner can normally be reached Monday through Friday 
from 8:00 AM to 6:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Joseph Thomas, can be reached at (571) 272-6776.

The fax phone numbers for the organization where this application or
proceeding is assigned are (571) 273-8300 for regular communications.

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197
(toll-free).